These slides contain animations that do not work in the regular browser view. For the best viewing experience, please download the deck and view it in PowerPoint Viewer.
I-Ching & InfoSec
1. I-Ching & InfoSec
易經和資安 (I-Ching and InfoSec)
Any sufficiently advanced technology is indistinguishable from magic. – A. C. Clarke
The ancient book of wisdom is indistinguishable from advanced science. – C. Lin
Chuan Lin, CISSP
2. Summary
This is a theory craft of gleaning Information Security (InfoSec) from the Book of Changes.
It is an attempt to look at InfoSec, the leading-edge world of technology, outside the box, from the most venerable book of knowledge.
I-Ching is known as the Most Modern of Ancient Wisdom. It bears a resemblance to binary code and to DNA. Can it provide insight into InfoSec as well?
3. What is InfoSec
Information Security, according to Wikipedia, is about defending information from unauthorized access, use, disclosure, disruption, modification, perusal, recording or destruction.
While this is not new to modern society, technology, the economy, and social media have created the need to protect corporate and individual information in addition to that of state governments.
Information Security will be the norm from now on, as what one learns about protecting corporate and state information can also be applied at the personal level.
4. What is I-Ching
Who (者) – Fu Xi, one of the legendary Chinese Sovereigns, and King Wen of the Zhou Dynasty are credited as the authors.
When (時) – The official date is around 1059 BC, though most believe it existed much earlier than that. It was introduced to the West in the 17th Century.
Where (處) – It originated in China.
What (何) – I-Ching is the accumulated wisdom from which Chinese arts, music, philosophy, religion, medicine, astronomy, arithmetic, literature, military, martial arts, divination, science and technology were derived.
6. At Root Level View of Information Security
Security is about protecting. For the InfoSec Professional (InfoSec Pro), it is to ensure that information remains confidential, integral, and available to authorized individuals.
Information is about how a person utilizes given data.
If a person doesn't know how to handle the given data, then that information is useless.
If a person is given wrong data, then that information is useless.
If a person is given a set of data that she knows how to handle, and provided that data is correct, then this information is useful.
7. Next Level View of Information Security
A more detailed analysis of what InfoSec is:
Securing people from revealing key information
Securing data from unauthorized access
Securing data input from corrupting data
Securing data output from unlawful usage
8. Tertiary View of Information Security, Part 1 (of 8)
What are we protecting?
People, at both the individual/family and the corporate/state level
People are susceptible to social engineering, or psychological influence, into revealing key information that would breach information security.
This is a challenging task because hardening against social engineering tends to go against our human traits and nature.
9. Tertiary View of Information Security, Part 2 (of 8)
What are we protecting?
Data, at both the individual/family and the corporate/state level
Data by itself is very dormant and, with the correct access code, very accessible.
This is the focus of the InfoSec Pro: how to safeguard data, whether it is at rest or in transit. But this is only one component of the bigger picture.
10. Tertiary View of Information Security, Part 3 (of 8)
What are we protecting?
Application
Applications require data and/or inputs to produce the desired outputs. The side effect is that an unsecured application can leak data.
Next to people, this presents a challenge for the InfoSec Pro, since we are not adept at scrutinizing lines of code or, in most cases, at certifying third-party applications as secure.
11. Tertiary View of Information Security, Part 4 (of 8)
What are we protecting?
Data Bank/Cloud/Server Farm
We generate more and more data, and we want it to be instantly accessible yet secure. Cloud technology is the solution.
Most big cloud service providers have met US government security requirements. The physical footprint (in the US) is vast, with acres of servers, which makes searching for a particular set of data the proverbial needle in a haystack.
12. Tertiary View of Information Security, Part 5 (of 8)
What are we protecting?
Internet
It allows us to connect with each other and to have easier access to information. While the internet provides us a quick avenue to information, it also gives crooks an expeditious passage into our lives and data.
A combination of mindful browsing habits, a secured browser, and a password manager will avoid 80% of the pitfalls.
13. Tertiary View of Information Security, Part 6 (of 8)
What are we protecting?
Home and office
We tend to think of our homes as our sanctuary and of our offices as safe working environments. This causes us to be lax about securing our data until rogues steal it.
Being a physical location, access control can be established. But problems arise from trading security for convenience and from security lapses in daily routines.
14. Tertiary View of Information Security, Part 7 (of 8)
What are we protecting?
Wifi
Smartphones are the primary factor pushing data wireless. We are already transmitting pictures via social media apps and now payment information as well.
Technology to grab sensitive data over the airwaves is becoming available. Wifi jamming devices are also popular items.
15. Tertiary View of Information Security, Part 8 (of 8)
What are we protecting?
Energy
While utility companies are beginning to offer network services, they are crucial to information security because they provide the energy that powers security devices.
A blackout would render the world's best security devices useless; a brown-out would destroy the world's best security devices. Surge protection and alternate power sources are part of information security planning.
17. A Holistic View of I-Ching/InfoSec
易有太極,是生兩儀
The I (易) is Taiji, which generates the two primary forces. (tr. Wilhelm and Baynes 1967:318-9)
The I (易) is Information, which generates the two primary sources.
As InfoSec Pros, our duty is to protect information, making sure it is confidential, integral, and available.
And information divides into two primary sources: data and person.
太極 (Taiji)
18. A Holistic View of I-Ching/InfoSec
易有太極,是生兩儀
The two primary forces in the I Ching are yin and yang.
Yin          Yang
negative     positive
female       male
earth        heaven
employees    manager
0            1
data         person
Yin – the receiving, potential, and passive forces of nature
Yang – the giving, kinetic, and active forces of nature
Data = Yin – data is inert and requires a person to decipher and act on it.
Person = Yang – a person is active and able to use data to create useful information.
As InfoSec Pros, we need to protect both person and data.
兩儀 (the two primary forces)
19. A Holistic View of I-Ching/InfoSec
兩儀生四象
The two primary forces generate the four images. (tr. Wilhelm and Baynes 1967:318-9)
Here in the I Ching, the concept of time and state is introduced through the four images.
The two primary sources generate the four states.
Likewise, for InfoSec, after breaking information down into data and person, we are introduced to the states of data that need to be protected.
四象 (the four images)
20. A Holistic View of I-Ching/InfoSec
Four Images    Four States
Old Yang       Person
Young Yang     Input
Young Yin      Output
Old Yin        Data
四象 (the four images)
老陽/Old Yang
In the I-Ching, it represents the peak state: summer, prime, very active, south, noon.
In InfoSec, this represents the person, a small group of people; they are capable of generating and utilizing data.
少陽/Young Yang
In the I-Ching, it represents the growing state: spring, young adult, active, east, dawn.
In InfoSec, this represents data input; data is to be processed; data is in motion toward becoming information.
少陰/Young Yin
In the I-Ching, it represents the declining state: fall, middle age, sluggish, west, dusk.
In InfoSec, this represents data output; data has been modified; data as information.
老陰/Old Yin
In the I-Ching, it represents the restful state: winter, senior, restful, north, midnight.
In InfoSec, this represents raw data, unmodified data, data storage.
21. Examples of Four States of Information
Old Yang      People
Young Yang    Data Input
Young Yin     Data Output
Old Yin       Data / Data Process
22. A Holistic View of I-Ching/InfoSec
四象演八卦
The four phenomena act on the eight trigrams (bagua). (tr. Wilhelm and Baynes 1967:318-9)
I Ching: the trigrams are forces of nature.
The four states act on the eight mediums.
InfoSec: the mediums are the building blocks of the InfoSec world.
When we break down an information system, its components will each be one of the eight mediums described in the following slides.
八卦 (the eight trigrams)
23. A Holistic View of I-Ching/InfoSec
Qian in I-Ching
八卦 (the eight trigrams)
Image in Nature: sky
Wilhelm's Translation: the Creative
Family Relationship: father
Body Part: head
Binary Code: 111
State: active
Qian in InfoSec
People, because we are the active force. We create data; we transform data into useful information.
Example: In this PowerPoint presentation, you are the one in control. You can continue, stop, rewind, or quit.
InfoSec: People are hard to safeguard because of the need to be active versus the need to be restrained.
24. A Holistic View of I-Ching/InfoSec
Kun in I-Ching
八卦 (the eight trigrams)
Image in Nature: earth
Wilhelm's Translation: the Receptive
Family Relationship: mother
Body Part: belly
Binary Code: 000
State: receptive
Kun in InfoSec
Data, because they are amenable. Data are created, manipulated, and accessed by us. By themselves, they do nothing.
Example: In this PowerPoint presentation, the words and graphics you see are data. They simply present my thoughts and may become information if you have a similar background to mine.
InfoSec: Data are the easiest to safeguard because they are inactive. But encryption will slow down our access to them.
25. A Holistic View of I-Ching/InfoSec
Li in I-Ching
八卦 (the eight trigrams)
Image in Nature: fire
Wilhelm's Translation: the Radiance
Family Relationship: 2nd daughter
Body Part: eye
Binary Code: 101
State: adaptable
Li in InfoSec
Applications, because they transform data into something useful or malicious. An application is meaningless without data, just like fire without fuel.
Example: In this presentation, MS PowerPoint and the browser you are using are applications that manipulate and display data as relevant information. Without these data, PowerPoint would open to a blank page or your browser would get a 404 error.
InfoSec: While it is easy to use white and black lists to restrict applications, like Prometheus, someone will inadvertently bring in the wildfire.
26. A Holistic View of I-Ching/InfoSec
Kan in I-Ching
八卦 (the eight trigrams)
Image in Nature: water
Wilhelm's Translation: the Abysmal
Family Relationship: 2nd son
Body Part: ear
Binary Code: 010
State: in motion
Kan in InfoSec
The internet, because like traditional waterways, it brings life, communication, and commerce among people from different areas. Even now, we use terms like torrents, phishing, upstream, downstream, and flood to describe situations involving the internet.
Example: In this presentation, you are accessing it through the internet for content delivery. And like a waterway, things move quickly when there is no congestion, and when it chokes, you receive your cargo sporadically.
InfoSec: Like traditional waterways, companies build series of dams (aka firewalls) to limit the inflow and outflow of commodities. The problem is, sometimes we have to find out where the leaks and seepage are.
27. A Holistic View of I-Ching/InfoSec
Gen in I-Ching
八卦 (the eight trigrams)
Image in Nature: mountain
Wilhelm's Translation: Keeping Still
Family Relationship: 3rd son
Body Part: hand
Binary Code: 001
State: completion
Gen in InfoSec
Buildings and hardware, because these are the closest things to enduring in an InfoSec world where things are constantly changing. Buildings and hardware are traditionally the places where wealth and data are stored.
Example: In this presentation, you are most likely viewing it in the comfort of your home or office, which protects you and gives you a sense of privacy and security. Even a coffee shop environment is preferable to outdoors (unless the weather is perfect and there is little traffic).
InfoSec: As a physical fixture, it is easily defended. Locks, security devices, lights, fixtures, and guards are used in conjunction to deter, detect, delay, and deny threats.
28. A Holistic View of I-Ching/InfoSec
Dui in I-Ching
八卦 (the eight trigrams)
Image in Nature: lake
Wilhelm's Translation: the Joyous
Family Relationship: 3rd daughter
Body Part: mouth
Binary Code: 110
State: tranquil
Dui in InfoSec
The cloud environment, because this is where massive amounts of data are stored. If we use the analogy of the internet as a waterway, all arteries eventually flow into a lake or ocean. And if you think of the source of the tributaries, most come from mountains (office buildings/homes).
Example: In this presentation, this PowerPoint slide is uploaded to slideshare.net, which may end up in the Amazon cloud, Microsoft Azure, or another massive data storage location.
InfoSec: It has both a virtual and a physical location. And in both cases, the massive size and number of backups make it nearly impossible to attack. Instead, threats come from stolen IDs, denial of service, or simply bombing the place out of existence.
29. A Holistic View of I-Ching/InfoSec
Xun in I-Ching
八卦 (the eight trigrams)
Image in Nature: wind
Wilhelm's Translation: the Gentle
Family Relationship: 1st daughter
Body Part: thigh
Binary Code: 011
State: gentle entrance
Xun in InfoSec
Wifi technology, because data are travelling through the air. This technology allows people to move away from the rivulets of network cables and lets them transfer data through the zephyr of the major telecoms.
Example: In this presentation, this PowerPoint can be viewed over a wifi connection and through mobile devices.
InfoSec: This is a relatively new frontier and has brought focus to encrypting data on the move. Most data transfers (especially credit card payments) are unprotected and can be easily grabbed by another mobile device.
30. A Holistic View of I-Ching/InfoSec
Zhen in I-Ching
八卦 (the eight trigrams)
Image in Nature: thunder
Wilhelm's Translation: the Arousing
Family Relationship: 1st son
Body Part: foot
Binary Code: 100
State: initiative
Zhen in InfoSec
Energy, like its natural image. The InfoSec environment depends on energy.
Example: In this presentation, you don't see the undercurrent of energy. But you will feel it if any of your devices, the server that houses this PowerPoint, or any one piece of network infrastructure in between runs out of juice.
InfoSec: Energy is one of the new areas for the InfoSec Pro to be concerned with. While a blackout can knock out our layered defenses, it also denies attackers access to data. But when things are powered back on, our defense network may not be up and ready.
31. A Holistic View of I-Ching/InfoSec
八八六十四卦
Eight eights are sixty-four hexagrams. (tr. Wilhelm and Baynes 1967:318-9)
I Ching: the hexagrams describe all natural conditions in terms of human relations. And each condition has its 6 stages of progression.
Eight by eight creates sixty-four situations.
InfoSec: These 64 situations have their own life cycles and possible disruptions.
六十四卦 (the sixty-four hexagrams)
Discussion of the 64 Hexagrams/Situations is beyond the scope of this PowerPoint.
33. High Level View of Information Security through I-Ching
This is the final stage of using the I Ching method for information security.
It is incomprehensible to the uninitiated, but the key ideas behind it are:
Besides the human factor, I Ching/InfoSec utilizes both the time element and physical location as part of defense in layers.
Despite its seeming complexity, it is quite portable, whether applied to a physical location or to a virtual domain.
防禦 (defense)
34. Encryption in InfoSec/I-Ching
Encryption is a necessity in InfoSec that prevents unauthorized access.
In the previous section, I Ching symbolism was used to relate to Information Security.
Now, we are exploring applied math in the I Ching for encryption.
To the right is the Yellow River Diagram symbolism, which translates into a mathematical equation when clicked.
先天 (Earlier Heaven)
35. Encryption in InfoSec/I-Ching
The Yellow River Diagram represents the State of Heaven at rest. Correspondingly, this method of encryption is for data at rest.
Here is the algorithm for encoding and decoding data.
This is the modern interpretation of the same algorithm.
Now, as to which one to use, well, isn't that the secret.
河圖 (Yellow River Diagram)
36. Encryption in InfoSec/I-Ching
To the right is the Luo River Scroll symbolism, which translates into a mathematical equation when clicked.
It represents the State of Heaven in Motion. Correspondingly, it can represent data in motion.
Why? Because data in motion requires faster encapsulation and decapsulation than data at rest.
後天 (Later Heaven)
37. Encryption in InfoSec/I-Ching
This mathematical equation is popularly known in the West as Sudoku.
The idea behind Sudoku is that any line (vertical, horizontal, diagonal) must add up to the same number.
So during data transit, the data is encapsulated with a series of numbers that, when decoded on the other side, must add up to a number in a Sudoku-like box in order to validate the data.
洛書 (Luo River Scroll)
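The validation step described above, worked as an added example that is not part of the deck: a nine-byte block is laid out as a 3x3 grid, the sender transmits the block with its eight line totals (three rows, three columns, two diagonals), and the receiver recomputes them. The property the slide attributes to Sudoku, every line adding up to the same number, is that of a magic square; the Luo River Scroll is the 3x3 Lo Shu square, whose lines all sum to 15, and the code includes it only to show that property. The grid layout, the sample bytes, the zero-sum pattern and the HMAC-SHA256 comparison at the end are this example's own assumptions, not the author's method. It shows the two things a practitioner would want to know about a line-sum check on data in motion: a single corrupted byte is detected and even located by the one row and one column that fail, but because the totals are plain sums, a change that leaves every line total unchanged passes validation, which is why transit integrity is checked with a keyed MAC rather than a sum.

```python
"""Line-sum ("magic square") validation of a 9-byte block, beside an HMAC.

Added example; the slide deck itself contains no code. Grid layout, sample
bytes and the sum-preserving pattern are constructed for this demonstration.
"""
import hashlib
import hmac

# The Lo Shu (洛書) square: every row, column and diagonal sums to 15.
LO_SHU = ((4, 9, 2), (3, 5, 7), (8, 1, 6))


def line_sums(grid):
    """The eight line totals of a 3x3 grid: 3 rows, 3 columns, 2 diagonals."""
    rows = [sum(row) for row in grid]
    cols = [sum(grid[i][j] for i in range(3)) for j in range(3)]
    diag = sum(grid[i][i] for i in range(3))
    anti = sum(grid[i][2 - i] for i in range(3))
    return rows + cols + [diag, anti]


def is_magic(grid):
    """True when all eight lines share a single total (the magic constant)."""
    return len(set(line_sums(grid))) == 1


def to_grid(block):
    """Lay a 9-byte block out as a 3x3 grid, row by row (assumed layout)."""
    if len(block) != 9:
        raise ValueError("block must be exactly 9 bytes")
    return tuple(tuple(block[3 * i:3 * i + 3]) for i in range(3))


def encapsulate(block):
    """Sender side: the block plus its eight line totals as the check values."""
    return bytes(block), line_sums(to_grid(block))


def validate(block, totals):
    """Receiver side: recompute the totals. Returns (ok, located_cell); a
    single corrupted byte is pinned down by the one row and one column that
    no longer match."""
    got = line_sums(to_grid(block))
    if got == totals:
        return True, None
    bad_rows = [i for i in range(3) if got[i] != totals[i]]
    bad_cols = [j for j in range(3) if got[3 + j] != totals[3 + j]]
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        return False, (bad_rows[0], bad_cols[0])
    return False, None


# Constructed zero-sum pattern: each row, column and diagonal adds to 0, so
# adding it to a block changes the bytes but not one of the eight totals.
SUM_PRESERVING = ((1, -1, 0), (-1, 0, 1), (0, 1, -1))


def apply_pattern(block, pattern):
    """Add a 3x3 integer pattern to the block cell by cell (values stay 0..255
    for the sample used here)."""
    grid = to_grid(block)
    return bytes(grid[i][j] + pattern[i][j] for i in range(3) for j in range(3))


def hmac_tag(key, block):
    """Keyed alternative: HMAC-SHA256 over the block."""
    return hmac.new(key, block, hashlib.sha256).digest()


def hmac_valid(key, block, tag):
    """Constant-time comparison of a received tag against the recomputed one."""
    return hmac.compare_digest(hmac_tag(key, block), tag)


if __name__ == "__main__":
    block, totals = encapsulate(bytes(range(10, 19)))      # constructed sample
    flipped = bytearray(block)
    flipped[4] ^= 0x01                                     # one-byte corruption
    print("intact:        ", validate(block, totals))          # (True, None)
    print("corrupted:     ", validate(bytes(flipped), totals)) # (False, (1, 1))
    changed = apply_pattern(block, SUM_PRESERVING)
    print("sum-preserving:", validate(changed, totals))        # (True, None)
    key = b"constructed-demo-key"
    tag = hmac_tag(key, block)
    print("hmac on changed:", hmac_valid(key, changed, tag))   # False
```

Run as a script, the intact block validates, the single flipped byte is reported at row 1, column 1, the sum-preserving change is accepted by the line totals but rejected by the HMAC. The line-sum check therefore belongs in the same class as a parity or checksum field: useful against noise, not against a party who can choose the modification.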
38. Encryption in InfoSec/I-Ching
方圖 (Square Diagram)
Before the Information Age, decoding a Sudoku was relatively easy, but breaking a 1–64 square was a challenge.
These symbols can be translated into mathematical values.
Then the entire square looks like this….
39. Encryption in InfoSec/I-Ching
方圖 (Square Diagram)
The Information Age brought us incredible processing power, so that whatever is within this square can be quickly decoded.
But what if we are to decode 4 squares of 64 numbers?
As processing power improves, we escalate the number of squares by powers of 2?
These squares can be used for either Yellow River or Luo River encryption.
40. Encryption in InfoSec/I-Ching
However, the problem with the previous method is that it can be too encumbering for data in motion, because it increases the amount of decoding time.
Hence the concept of the I Ching in time reference. Each hexagram represents approximately 5~6 days (the numbers on the I Ching shown are examples and not correct).
The time element introduces variance in how to decode the encapsulated encryption.
E.g. Out of 16 hash codes, we drop every other 3rd and 4th number.
E.g. Each of the 16 hash codes is multiplied by 9, 8, 7 or 6.
圓圖 (Circular Diagram)
41. Encryption in InfoSec/I-Ching
So by combining both the square and the circular I Ching, we are introducing a complex encryption scheme that is portable and yet versatile.
This is also commonly known as the circular and square formation of the I Ching hexagrams, which is traditionally represented in 2D.
And here is the 3D rendition of the circular and square formation.
圓圖 (Circular Diagram)
43. Offensive View of Information Security
資安攻勢論 (Offensive view of information security)
Three Types of Attackers
Individual
Organization
State/Enterprise
Purpose of the Attacks
Fame
Gains (Economic/Terminal/Scientific)
Revenge
44. Offensive View of Information Security
資安攻勢論 (Offensive view of information security)
Currently, attack techniques are mostly web-based or conducted through networks.
But as network defense and encryption are getting more complex, social engineering attacks are on the rise.
Maybe within the next 10 years, state/enterprise level actors will conduct full-spectrum attacks to probe a target's weaknesses.
The next 8 slides will discuss theoretical threats from the I Ching perspective.
45. Offensive View of Info Sec/I-Ching – Attacking the Mind
Social Engineering – When defensive technology is solid, attackers may use the human element as an alternate attack.
Not everyone is trained in security mindfulness.
Everyone has varying degrees of Greed, Anger, and Ignorance that can be exploited.
Identity Theft
Profits, Revenge, Cyberbullying
乾 攻心 (Qian: attacking the mind)
46. Offensive View of Info Sec/I-Ching – Attacking the Data
Extracting Data –
To gain state secrets
To gain economic/technological advantage
To embarrass an individual
Inserting (false) Data –
To redirect attacks
To disrupt economic/technological advantage
To maim/eradicate/disable an individual (through false medical information, identity theft)
坤 攻資 (Kun: attacking the data)
47. Offensive View of Info Sec/I-Ching – Attacking Applications
Hostile applications are the most common means of attack, since we all depend on software to conceptualize, to convert, and to create useful information from a set of data.
There is a gamut of PUPs (potentially unwanted programs), ranging over stealing, redirecting, spying, cloning, disabling, controlling, etc.
Like an arms race, threat and anti-threat applications have escalated to the point that in mid-2014 Symantec acknowledged that anti-virus software by itself is no longer adequate to stop threats.
離 火攻 (Li: attacking by fire)
48. Offensive View of Info Sec/I-Ching – Attacking Network
Strategically, states control the internet pipelines.
Tactically, states, organizations, groups, or individuals can control bots that run either low orbit ion cannon or high orbit ion cannon attacks, which cause denial of service to knock down one or a series of domains or networks.
坎 攻網 (Kan: attacking the network)
49. Offensive View of Info Sec/I-Ching – Attacking the Base
Theft is the most common form of attack against individual property, homes, offices, and corporate centers.
Nearly all of us carry sensitive data on our portable devices.
In times of economic hardship, employees can be bribed to destroy or to steal corporate data with relatively low risk to the instigator.
Besides money, aggrieved employees may also be willful accomplices to data theft.
艮 攻堡 (Gen: attacking the base)
50. Offensive View of Info Sec/I-Ching – Attacking the Cloud
Cloud storage vendors currently enjoy the relative scale of their (too big to be hacked) operation as a defense against attack.
The Google Barge is the perfect example of mobile cloud storage, with plenty of water to disperse heat and containers of servers to store data.
Any attack against a Cloud Storage Vendor will be property destruction to prevent data from being available.
兌 攻雲 (Dui: attacking the cloud)
51. Offensive View of Info Sec/I-Ching – Attacking the Wind
Wifi and cellular data plans offer convenience and mobility to data creators.
One method of attack is to grab data transmitted in a public wifi area. This targets small business owners, who often use wifi to do credit card transactions.
Another method is to create wifi and cellular jammers to deny data and voice communication.
巽 攻風 (Xun: attacking the wind)
52. Offensive View of Info Sec/I-Ching – Attacking the Energy
Like cloud storage providers, utility companies also seem to enjoy a relative scale of operation that keeps them safe from attacks.
But unlike cloud storage, the goal of attacking the energy source doesn't have to be at the utility site; it can be as close as the local grid where the data resides.
Without a backup power source, most companies' defenses will go offline in a blackout.
震 攻電 (Zhen: attacking the power)
53. Offensive View of Info Sec/I-Ching
資安/易經攻勢論 (Offensive view of InfoSec/I-Ching)
At the individual level
The attacker has a lot more variety of motivation than those at the organization and state level.
Some are not necessarily malicious but simply curious.
An individual only has the resources to utilize 1-2 methods of attack: social engineering, theft, or DDoS.
54. Offensive View of Info Sec/I-Ching
資安/易經攻勢論 (Offensive view of InfoSec/I-Ching)
At the organization/state level
Motivations are easier to define: greed, grandeur, or grievance.
They have sufficient resources to coordinate attacks using various methods.
But to use all 8 methods of attack would constitute an act of war, even if it is directed at an organization within the same state.
55. Summary – 略 (summary)
InfoSec is all about protecting data.
There are books, blogs, and webinars on how to protect it and what to look out for.
But like all warfare, the technology and techniques involved are evolving rapidly.
Sometimes, it is better to step out of the box and look at InfoSec from a different perspective.
I-Ching is not just the Book of Wisdom, or the Book of Divination. It should also be viewed as the Book of Applied Science because of three principles it promotes:
The I (易) is simple to understand once you realize the pattern
The I (易) is changing (just look at germinating viruses, Trojans and ransomware)
The I (易) is constant (data is the goal, whether acquiring or denying it)
56. References – 參考 (references)
Slides 33 & 41: The Yi Globe – the Cosmos in the I Ching, by József Drasny, Budapest, 2007, and his website: http://www.i-ching.hu/index.htm
The following graphs are from Hackmageddon (http://hackmageddon.com/):
Slide 43: motivations behind attacks, September 2014
Slide 43: distribution of targets, September 2014
Slide 44: attack techniques, September 2014
Slide 53: Top 10 famous computer hackers images are from http://h4x3r.quora.com/Top-10-famous-Computer-HACKERS
Slide 54: various images are pulled from Bing image search based on the article http://www.topcomputersciencedegrees.com/notorious-hacker-groups/